Wednesday, January 16, 2013

Child Pornography, the Expert Witness and Daubert

This post examines a recent opinion issued in a pending
child pornography case. All I know about
the facts in the case is that “[o]n August 8, 2012, . . . Bryan James
Gardner was indicted on one count of possession of child pornography” in
violation of 18 U.S. Code § 2252A(a)(5)(B) and “one count of distribution of
child pornography” in violation of 18 U.S. Code § 2252A(a)(2). U.S. v. Gardner, 2012 WL 5285376 (U.S. District Court for the District of Utah 2012).

One of the opinions in the case notes that Gardner is
accused of “possessing child pornography images on the Gardner family computer .
. . and distributing child pornography images by uploading images to the social
networking Internet site Ning.com using a Verizon wireless . . . Internet access
device.” U.S. v. Gardner, 2012
WL 6680395 (U.S. District Court for the District of Utah 2012) (hereinafter U.S. v. Gardner, supra).

As of earlier this month, the case was set to go to trial on
January 14 of this year. U.S. v. Gardner, 2013 WL 53752 (U.S.
District Court for the District of Utah 2013).

In preparing for trial, Gardner filed several motions that
were directed at keeping certain evidence out and also “notified the United
States that [at trial] he intends to rely on the testimony of Steven Moshlak,
whom Gardner has designated as an expert in computer forensics.” U.S. v. Gardner, supra. While the prosecution did not “challenge Moshlak's
qualifications as a computer forensics expert,” it did “challenge,
under Federal Rule of Evidence 702 and Daubert v. Merrell Dow
Pharmaceuticals, Inc., 509 U.S. 579 (1993), Moshlak's application of
the methodology used and the reliability and relevancy of the opinions he
offers in his report.” U.S. v. Gardner, supra.

The Federal Rules of Evidence govern the admissibility of
evidence in federal trials, and Rule 702 deals with the admissibility of expert
evidence, providing as follows:

A witness who is qualified as an expert
by knowledge, skill, experience, training, or education may testify in the form
of an opinion or otherwise if:

(a) the expert’s
scientific, technical, or other specialized knowledge will help the trier of
fact to understand the evidence or to determine a fact in issue;

(b) the testimony is based
on sufficient facts or data;

(c) the testimony is the
product of reliable principles and methods; and

(d) the expert has reliably
applied the principles and methods to the facts of the case.

As Wikipedia explains, the Supreme Court’s decision in the Daubert case changed the existing
standard for admitting expert testimony in federal cases to one that has been
incorporated into Rule 702. The Daubert Court held that expert testimony
is admissible if it involves scientific knowledge that will assist the trier of
fact and if the trial judge has determined that the reasoning or methodology
underlying the testimony is scientifically valid and can properly be applied to
the facts in issue. (If you would like
to check out the prior standard, you can find a description of it in
Wikipedia’s entry on Daubert.)

The district court judge held a Daubert hearing on Moshlak’s proffered testimony and ultimately
held that he would be allowed to testify “as an expert witness at trial but his
testimony will be limited to a narrower set of conclusions than was proffered
in his report.” U.S. v. Gardner, supra. That
brings us to the results of the Daubert
hearing. The opinion explains that
Moshlak reviewed the “same forensic images” of two hard drives

that were seized and reviewed by the
United States's investigators and computer forensics experts. The hard drives
were taken from the Gardner family computer (one was seized from the Gardner
home and the other was seized at PC Laptops, where the drive was being repaired
at the time the search warrant was executed). The computer investigation concerning
Count 1 centers on the contents of the hidden thumbs.db file, as well as the
email address kidpower12345@yahoo.com. The investigation concerning Count 2
focuses on the social networking site Ning.com, two email addresses
(kidpower12345@yahoo.com and kidpower2009@live.com), the website imgsrc.ru
(referred to as `Image Source’), and a wi-fi device.

Moshlak
primarily used the . . . Forensic Toolkit (FTK) to do his review. That is the
same program used by the Government's computer forensics experts. . . . [T]he
Government does not challenge the soundness of the FTK methodology.

Moshlak
also reviewed discovery materials provided by the Government to Gardner, and
apparently did his own research and investigation . . . (for example, by
contacting Verizon about the type of modem allegedly used by Mr. Gardner). . . .

U.S. v. Gardner,
supra.

The “end result” of his
investigation and analysis was his “`Computer Expert Witness Report’” and an
addendum to the report. U.S. v. Gardner, supra. The report “sets forth roughly fourteen
conclusions”, which the government challenged for the reasons noted above. U.S. v.
Gardner, supra. I am not going to go
through the judge’s ruling on all fourteen, but I will summarize her holdings
on what I see as the more important and/or interesting issues.

Moshlak presumes there were multiple
users of the computer . . . based on the existence of computer directories and
files bearing different names and containing resumés of individuals other than
Gardner. Even though the United States agrees that several members of the
Gardner family had access to the computer . . ., the court will not allow Moshlak
to testify about his conclusion as it is presently worded. As written, his
conclusion is not an expert conclusion based on scientific, technical, or other
specialized knowledge.

Whether more than one person, and, if so, who, used the
computer, is a fact question for the jury to decide. Moshlak’s proffered
testimony would usurp the role of the jury.
Moshlak, however, will be allowed to testify that during his review of
the Gardner family computer, he observed files, directories, and documents with
names other than Bryan Gardner. He may not extrapolate further.

U.S. v. Gardner,
supra.

Conclusion #2: “HP
Owner” was the generic user name assigned to anyone accessing the family
computer

This conclusion is relevant. But the
court is concerned with the phrasing used by Moshlak. The court will allow
Moshlak to state his opinion, but only if it is framed in a way that more
accurately reflects the nature of the fact (and to the extent it is not
cumulative). That is, rather than stating that the `HP_Owner’ was not
associated with Gardner, Moshlak may point out that the `HP_Owner’ name was not
associated with or assigned to any particular individual using the computer.

U.S. v. Gardner,
supra.

Conclusion #3: No Relative Identifiers (RIDs) or Security
Identification Descriptors (SIDs) were associated with Gardner on the family
computer

The analysis of Conclusion 2 also
applies here. The court finds the lack of RIDs and SIDs to be somewhat
relevant. However, Moshlak may not present his opinion in the matter phrased in
his report. He may point out to the jury that there are no RIDs or SIDs
associated with anyone on the Gardner family computer. This is more accurate
than the artificial spin he places on the lack of RIDs and SIDs in an effort to
eliminate Gardner as a possible user of the family computer.

U.S. v. Gardner,
supra.

Conclusion #5: The [Regional Computer Forensic Laboratory] report did not identify any actors and so the
report, as well as the analysis of Government agents who generated the report,
is insufficient.

The court agrees with the United States
that this conclusion is not relevant, not based on scientific, technical or
other specialized knowledge, and is not based on sufficient facts or data. The
RCFL computer forensics examiners do not do investigative work. Moshlak's
conclusion assumes they are required to do so in order to do their jobs
effectively. But the type of investigation to which Moshlak is referring was
not part of the RCFL experts' scope of work.

Moreover, Moshlak has no
specialized expertise regarding the job of a government computer forensic examiner.
As the United States notes, the Department of Justice guide for law enforcement
is not sufficient data for Moshlak to speculate about what individuals involved
with this case should have done. The court excludes any testimony of this
nature.

U.S. v. Gardner,
supra.

Conclusion #6(B): The image modification dates in the
thumbs.db file suggest that Gardner could not have downloaded or viewed the
images because the dates coincide with the dates Mr. Gardner was in prison.

Based on a long colloquy during the Daubert hearing,
Moshlak admitted that the modification dates in the thumbs.db file do not have
any bearing on whether Gardner downloaded or viewed the images on the Gardner
family computer. . . . Accordingly, this conclusion is excluded as unhelpful to
the jury.

U.S. v. Gardner, supra.

Conclusion #7: The thumbs.db is a hidden file in the
Gardner family computer that cannot be accessed without specialized computer
knowledge and tools.

This conclusion is not relevant. The
Government does not contend that Gardner accessed the thumbs.db file to store
or view child pornography images. The conclusion, while accurate, would not be
helpful to the jury. In fact, it would be confusing. It suggests that Gardner
could not have done what the Indictment alleges because he does not have
specialized knowledge or tools to access the thumbs.db file. This testimony is
excluded.

U.S. v. Gardner,
supra.

Conclusion #9: Yahoo Companion toolbar has a button for
kidpower12345@yahoo.com that allows anyone to access the email account.

The United States contends that
although `[t]he fact that kidpower12345 is in Yahoo Companion is not disputed,
the conclusion about how it works is not based on sufficient facts or reliable
methodologies. . . . The court agrees.

As part of his conclusion, Moshlak
testified that `anybody that goes ahead and activates a Web browser has the
ability to go ahead and log in as kidpower12345[.]’ . . . Moshlak provided no
factual basis for such a conclusion or any reason for the court to believe that
he has expertise regarding the Yahoo Companion toolbar or that he can explain
why he reached this conclusion.

Because Moshlak's Conclusion 9 was unsupported,
it is excluded at this time. The court will reconsider this ruling if the
defense is able to provide the court with a more thorough analysis and a
complete record in support.

U.S. v. Gardner,
supra.

Conclusion #10(B): Conclusions based on IP Addresses

In his report, Mr. Moshlak states,

No traceroute data analysis was provided, as to
the network which was used, in determining if a nexus between [Gardner] and his
USB modem could be established. In review of the material provided [sic] shows
no Verizon Access Manager connectivity, but does show QWEST as a potential
provider of services. In addition an IP address analysis was performed based
upon the Username logons and user names provided [by] Ning, and the IP address
data that was provided in this case, with the user logon, related to a number
of different areas in the nation. A number of these IP addresses resolved to
various other parts of the nation, including [over twenty locations within the
United States]. . . .

[Gardner] has failed to show that Moshlak's IP address analysis
was based on sufficient facts or data. The source of information and the nature
of the conclusion are both in question. The IP address analysis and conclusions
do not make sense.

On the stand, Moshlak himself admitted that he did not know
how someone could log-in over 300 times on a particular date or from multiple locations
throughout the country. He said, `something tells me something isn't right. We
ought to go back and take a look at it.’ Unless and until the defense can come
up with a more thorough analysis and explanation for the conclusion, Moshlak's
testimony in this area is excluded.

U.S. v. Gardner,
supra.

Conclusion #13: There were viruses on the Gardner family
computer.

During testimony, Moshlak admitted
under cross-examination that the viruses could not have created the images of
child pornography in the thumbs.db folder. Absent any evidence (other than the
speculation offered by [Gardner]) that a third party hacked into the Gardner
family computer to download the offending images, Moshlak's conclusion is, at
best, not relevant, and would confuse the jury.

U.S. v. Gardner,
supra.

The judge therefore granted the prosecution’s motion to
exclude Moshlak’s expert testimony in part and denied it in part. U.S. v.
Gardner, supra.